Author: Mike McPhee
As Sun Tzu might advise, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Let’s focus on “knowing yourself” first. We introduced this as an important step in Threat Hunting in a prior post. All organizations should start by identifying and scoping the environment’s key assets, data types, and security controls (both technical and process related). What are you trying to protect? Why is it important? Who needs or uses those things? Threat Modeling is the proactive process that helps you understand and address security risks before attackers can exploit them. This requires an understanding of both the environment to be protected and the ways threats might overcome its defenses.
While most organizations believe they have a grasp of this information, facilitated workshops, independent audits, and assessments will improve the accuracy and completeness of your picture. The system isn’t limited to the technologies involved; it must also include the people and the processes that operate and govern those technologies. To perform threat modeling, you must systematically analyze the system’s architecture, design, and functionality to identify potential weaknesses and then develop strategies to mitigate them. You must also assess the capabilities and weaknesses of the various stakeholders involved to get a complete view. In addition to the SOC’s personnel, any other engineering staff, systems administrators, partners, and even end users should be factored into your analysis. No one should escape.
A notional Threat Modeling Process
Holistically, an overall Threat Modeling Process might follow a course similar to this:
Scope Definition: Identify the scope of the threat modeling exercise. Determine the boundaries of the system, application, or environment you are analyzing.
Asset Identification: Identify the valuable assets, data, components, and resources within the scope of analysis. This helps prioritize what needs protection.
Threat Identification: Identify potential threats and attack vectors that could compromise the security of the assets. Threats can include malicious actors, technical vulnerabilities, software flaws, or any weaknesses that could be exploited. This is the Threat Picture!
Vulnerability Analysis: Examine the system’s architecture, design, and implementation to identify vulnerabilities or weaknesses that could be exploited by the identified threats.
Attack Surface Analysis: Determine the possible entry points or attack surfaces that an attacker could use to exploit vulnerabilities and gain unauthorized access.
Risk Assessment: Evaluate the potential impact and likelihood of each threat. Prioritize threats based on their potential to cause harm and the probability of occurrence.
Countermeasure Identification: Develop and propose security controls, safeguards, and countermeasures to mitigate or eliminate identified vulnerabilities. These measures aim to reduce the risk associated with each threat.
Documentation: Document the entire threat modeling process, including the identified threats, vulnerabilities, risks, and corresponding mitigation strategies. This documentation serves as a reference for stakeholders and future reviews.
Validation and Review: Review the threat model with relevant stakeholders, including developers, architects, and security experts. Ensure that the threat model accurately represents the system and its potential risks.
Iterate and Improve: Threat modeling is an ongoing process. Regularly review and update the threat model as the system evolves, new threats emerge, or changes are made to the architecture.
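To make the middle of that process concrete, here is a small threat register in Python that walks steps two through eight (asset identification, threat and attack surface capture, risk scoring, countermeasure tracking, and documentation). It is an added example written for this post, not code from the author or from Cisco. The assets, threats, scores, and the simple likelihood × impact scoring scale are all constructed for illustration; a real exercise would replace them with the output of your own workshops and assessments.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """Something in scope that needs protection (step 2: Asset Identification)."""
    name: str
    owner: str      # who needs or uses it: the "people" part of the system
    value: int      # 1 (low) .. 5 (critical)


@dataclass
class Threat:
    """One row of the threat register (steps 3-7)."""
    name: str
    asset: str              # must match an Asset.name that is in scope
    entry_point: str        # attack surface the threat would come through
    likelihood: int         # 1 (rare) .. 5 (near certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    countermeasures: list = field(default_factory=list)

    def __post_init__(self):
        # Constructed scoring scale: both factors must be 1..5.
        for label, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= v <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {v}")

    @property
    def risk(self) -> int:
        # Qualitative risk score (step 6): likelihood x impact, range 1..25.
        return self.likelihood * self.impact


# Constructed sample environment (hypothetical, not a real organization).
ASSETS = {
    a.name: a for a in [
        Asset("customer-db", "billing team", 5),
        Asset("vpn-gateway", "IT operations", 4),
        Asset("marketing-site", "marketing", 2),
    ]
}

THREATS = [
    Threat("Credential stuffing against VPN portal", "vpn-gateway",
           "Internet-facing VPN login", likelihood=4, impact=4,
           countermeasures=["MFA", "login rate limiting"]),
    Threat("SQL injection in customer portal", "customer-db",
           "public web form", likelihood=3, impact=5),
    Threat("Website defacement via stale CMS plugin", "marketing-site",
           "CMS admin interface", likelihood=3, impact=2,
           countermeasures=["patch management"]),
    Threat("Insider export of customer records", "customer-db",
           "internal reporting tool", likelihood=2, impact=5),
]


def check_scope(threats, assets):
    """Step 1 sanity check: names of threats that point at an asset not in scope."""
    return [t.name for t in threats if t.asset not in assets]


def rank_threats(threats):
    """Step 6: highest risk first, ties broken alphabetically for stable output."""
    return sorted(threats, key=lambda t: (-t.risk, t.name))


def unmitigated(threats):
    """Step 7 gap list: ranked threats that still have no countermeasure."""
    return [t.name for t in rank_threats(threats) if not t.countermeasures]


def render_register(threats, assets):
    """Step 8: the register as a Markdown table for the review meeting."""
    lines = [
        "| Threat | Asset (owner) | Entry point | L | I | Risk | Countermeasures |",
        "|---|---|---|---|---|---|---|",
    ]
    for t in rank_threats(threats):
        owner = assets[t.asset].owner if t.asset in assets else "OUT OF SCOPE"
        cm = ", ".join(t.countermeasures) or "NONE (open risk)"
        lines.append(f"| {t.name} | {t.asset} ({owner}) | {t.entry_point} "
                     f"| {t.likelihood} | {t.impact} | {t.risk} | {cm} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_register(THREATS, ASSETS))
    print("\nOpen risks:", unmitigated(THREATS))
```

The two functions worth keeping in any register, whatever tooling you use, are the scope check (a threat against an asset nobody identified is a sign the scoping step was incomplete) and the unmitigated list, which is what the Validation and Review step should argue about. Re-running the script after every architecture change is the cheap version of the “Iterate and Improve” step.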
Everyone loves to focus on the baddies – but you’ll notice that only one of the above bullets discusses them. The rest of Threat Modeling depends heavily on you knowing more about yourself, or more specifically – knowing about the environment you protect. We’ll get into that very soon.
About the Author: Mike McPhee is a Cybersecurity Architect with Cisco based in New York, covering Commercial customers along the US East Coast. He has worked for 11 years, focused on consulting on the architecture and design of security and network infrastructures. With expertise in systems engineering, security frameworks, threat intelligence, and both red and blue team operations, Mike helps craft actionable strategies, develop training, steer product roadmaps, and enable security operators. His relevant certifications include the GIAC Security Expert (#339) and 11 other GIAC certifications, as well as Cisco’s CCIE Routing & Switching, CCIE Security, and Cisco Certified Design Expert. He has a Master of Science in Information Security Engineering from the SANS Technical Institute, an MBA, and a BS degree. Mike has authored two books, several research papers, and a patent.